CVE-2026-45739
Severity: MEDIUM · CVSS 3.1 base score 4.3 · EPSS 12.2%
Published: Jun 4, 2026 · Last modified: Jun 17, 2026
Description
Strawberry GraphQL is a library for creating GraphQL APIs. In versions 0.288.4 through 0.315.3, Strawberry's bundled GraphiQL template wrote values from the GraphiQL headers editor into the browser URL query string. If a user entered a sensitive header, such as `Authorization: Bearer <token>`, the value could become visible in browser history, copied links, and server/proxy/CDN access logs after a page reload or shared request. Version 0.315.4 patches the issue.
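The exposure described above leaves header-looking values inside request URLs, which is where a defender can look for it. As an added example (not code from the advisory or the Strawberry project), this Python checks an installed strawberry-graphql version against the affected range and scans constructed access-log lines for query parameters that carry header-like credential material; the `headers` parameter name and the log lines are assumptions, since the advisory does not say how GraphiQL encoded the editor contents.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Affected range from the advisory: 0.288.4 <= version < 0.315.4 (fixed).
AFFECTED_MIN = (0, 288, 4)
FIXED_IN = (0, 315, 4)

def parse_version(version: str) -> tuple:
    """Plain X.Y.Z release strings only (pre-release suffixes are not handled)."""
    return tuple(int(p) for p in version.split(".")[:3])

def is_affected(version: str) -> bool:
    """True when an installed strawberry-graphql version is in the affected range."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_IN

# Heuristic for header-like credential material. The advisory does not name the
# query parameter GraphiQL used, so every parameter key and value is checked.
SENSITIVE = re.compile(r"(?i)\b(bearer|authorization|cookie|api[-_]?key)\b")

def leaked_header_params(url: str) -> list:
    """Return (key, value) pairs from the URL query that look like header material."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    return [(k, v) for k, v in pairs if SENSITIVE.search(k) or SENSITIVE.search(v)]

# Request field of a combined-format access log line: "GET /path?query HTTP/1.1"
REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')

def scan_access_log(lines) -> list:
    """Return (line_no, param_key) for every request URL carrying such a value."""
    hits = []
    for no, line in enumerate(lines, start=1):
        m = REQUEST.search(line)
        if m:
            hits.extend((no, k) for k, _ in leaked_header_params(m.group(1)))
    return hits

# Constructed sample log lines (not real traffic). Line 2 mimics a GraphiQL page
# reload whose headers-editor content ended up in the query string; the "headers"
# key is an assumed name used only for illustration.
SAMPLE_LOG = [
    '10.0.0.5 - - [04/Jun/2026:10:00:00 +0000] "GET /graphql HTTP/1.1" 200 512',
    '10.0.0.5 - - [04/Jun/2026:10:00:05 +0000] "GET /graphql?query=%7B__typename%7D'
    '&headers=%7B%22Authorization%22%3A%22Bearer%20EXAMPLE%22%7D HTTP/1.1" 200 512',
    '10.0.0.7 - - [04/Jun/2026:10:01:00 +0000] "POST /graphql HTTP/1.1" 200 90',
]

if __name__ == "__main__":
    for no, key in scan_access_log(SAMPLE_LOG):
        print(f"line {no}: query parameter {key!r} carries header-like credential material")
```

Any hit is a reason to rotate the token in question, not just to upgrade: the value has already been written to whatever logs and histories sit between the browser and the server.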
CVSS Details
Base score: 4.3 (CVSS 3.1)
Vector string: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality: Low
- Integrity: None
- Availability: None
Threat Intelligence
EPSS exploit probability: 12.2% percentile
Exploit & Patch Status: No known exploit; patch available
Weaknesses (2)
- CWE-200: Exposure of Sensitive Information to an Unauthorized Actor (Information Exposure)
- CWE-201: Insertion of Sensitive Information Into Sent Data
Affected Products (1)
| Vendor | Product | Version | Range |
|---|---|---|---|
| strawberry | strawberry_graphql | * | ≥0.288.4 – <0.315.4 |
References (5)
- https://github.com/strawberry-graphql/strawberry/commit/9315ef80a621ae50ca0bc5c82f560ca4ee7e47a9
- https://github.com/strawberry-graphql/strawberry/issues/4398
- https://github.com/strawberry-graphql/strawberry/pull/2842
- https://github.com/strawberry-graphql/strawberry/releases/tag/0.315.4
- https://github.com/strawberry-graphql/strawberry/security/advisories/GHSA-x97m-qp5c-w9xj
Remediation
- https://github.com/strawberry-graphql/strawberry/commit/9315ef80a621ae50ca0bc5c82f560ca4ee7e47a9
- https://github.com/strawberry-graphql/strawberry/pull/2842